JAAS Authentication Framework

Goal

The purpose of this laboratory exercise is twofold: to give an overview of the Java Authentication and Authorization Service (JAAS) and to provide hands-on experience with the development of a user authentication mechanism.

Java Authentication and Authorization Service

The traditional security mechanisms for the Java Virtual Machine (JVM) provide a means to enforce access controls based on where the code was downloaded from (a.k.a. the code base) and who signed it. These access controls are needed because of the distributed nature of the Java platform, where applications may consist of packages that are dynamically downloaded from different software providers and where an applet can be downloaded over a public network and then run locally.

However, the first versions of the Java 2 platform did not provide a way to enforce similar access controls based on the principal who runs the code. To provide this type of access control, the Java 2 security architecture requires the following:

The Java Authentication and Authorization Service (JAAS) framework provides these enhancements. We focus on the use of JAAS for authentication in this laboratory work; authorization will be covered in a later lab.

Task

This lab is based on the JAAS Authentication Tutorial from Oracle.

The first task is to read through the tutorial and get a general idea of the architecture of the JAAS authentication framework.

The second task is to follow the steps in this tutorial to download, configure and run the sample code. At the end of this step you should have a running program that will authenticate the principal testUser with the password hard-coded into the Login Module.

The third and final task is to extend the existing SampleLoginModule.java with code to read usernames and passwords from a password file. You are free to define appropriate limits on the lengths of usernames and passwords, but there should not be a hard limit on the number of users supported by the mechanism.

The extension of the SampleLoginModule provides an example of how pluggable authentication modules (PAM) allow easy replacement of existing authentication mechanisms. The extended LoginModule must ensure the confidentiality and integrity of passwords stored in the password file.
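The following is an added example, not part of the Oracle tutorial or of this lab's sample code, showing one way to keep stored passwords confidential: each record holds a salted PBKDF2 hash instead of the password, and verification uses a constant-time comparison. The class name, the record format, the length limits and the iteration count are assumptions made for the example; protecting the integrity of the file itself (for example with file permissions or a MAC over its contents) is not shown.

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.List;

// Added example: hypothetical helper that a LoginModule's login() could call.
// Assumed record format (not from the lab): user:iterations:saltB64:hashB64
public class PasswordFileCheck {
    static final int ITERATIONS = 210_000, SALT_LEN = 16, KEY_BITS = 256; // example values
    static final int MAX_USER = 64, MAX_PASS = 128; // length limits chosen for the example

    static byte[] pbkdf2(char[] pw, byte[] salt, int iter) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pw, salt, iter, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the copy of the password held by the spec
        }
    }

    // Builds one password-file line; the clear-text password is never stored.
    static String newRecord(String user, char[] pw) throws Exception {
        byte[] salt = new byte[SALT_LEN];
        new SecureRandom().nextBytes(salt); // fresh random salt per user
        Base64.Encoder b64 = Base64.getEncoder();
        return user + ":" + ITERATIONS + ":" + b64.encodeToString(salt) + ":"
                + b64.encodeToString(pbkdf2(pw, salt, ITERATIONS));
    }

    // Scans every line (no fixed user count) and compares hashes in constant time.
    static boolean verify(List<String> lines, String user, char[] pw) throws Exception {
        if (user.length() > MAX_USER || user.contains(":") || pw.length > MAX_PASS) return false;
        for (String line : lines) {
            String[] f = line.split(":");
            if (f.length != 4 || !f[0].equals(user)) continue; // skip malformed or other users
            byte[] salt = Base64.getDecoder().decode(f[2]);
            byte[] expected = Base64.getDecoder().decode(f[3]);
            return MessageDigest.isEqual(expected, pbkdf2(pw, salt, Integer.parseInt(f[1])));
        }
        return false; // unknown user
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data standing in for Files.readAllLines(passwordFile).
        List<String> file = List.of(newRecord("testUser", "correct horse".toCharArray()));
        System.out.println(verify(file, "testUser", "correct horse".toCharArray()));
        System.out.println(verify(file, "testUser", "wrong".toCharArray()));
    }
}
```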

Evaluation

This lab is a mandatory part of the course, which means that you have to hand in a small report, which will be evaluated and counts towards your final grade. The report should follow the normal structure of a report, and it must include two separate sections documenting the result of Task 1 and Task 3 as outlined below.

The laboratory work will be individually assessed (i.e., you must each hand in your own individual report), but you are of course allowed to discuss this assignment with the other students in the course. Please indicate the name and student number of any student with whom you have had extensive discussions about the report in the Introduction. The full report should be limited to a maximum of 10 pages, excluding the source code. NOTE: You should not include all source files in the report, only the new SampleLoginModule.java and any other files that have been modified.

The laboratory work should be conducted on the following Wednesdays: 2 November and 9 November. The lab must be documented by a short report as described above. The report should be handed in electronically, using Campusnet, before 15.00 on Monday 14 November.

Useful Links


Christian Damsgaard Jensen Christian.Jensen@imm.dtu.dk
Last modified 31 October 2011.